Expect CalPrivacy Fines to Rise After $56K Penalty Against Marketing Firm, Lawyer Says
The modest $56,000 fine that the California Privacy Protection Agency (CalPrivacy) recently assessed against a company for failing to register as a data broker (see 2512030029) “may be the last penalty we see of this size,” said Dentons privacy attorney Dalton Cline, who sees several factors increasing monetary burdens on violators in the future.
The agency's decision against ROR Partners, a marketing firm, said the company violated the state's Delete Act.
Penalties should escalate because of the “expected increased fines for not complying with registration and deletion requirements in 2026,” Cline told Privacy Daily in an email. While CalPrivacy's fines for data brokers this year have been in the range of "$34,400 to $56,600 … data brokers will also incur [daily] penalties of $200 for each deletion request for each day” they fail to delete the information, starting Aug. 1.
Cline said that “depending on the level of adoption by California residents, unregistered data brokers may incur millions of dollars in fines very quickly.” He added: “Up until this point, I can imagine that, if you are a data broker, you might make the calculation that the revenue you generate from California consumers is worth more than the penalty you may face. But very soon that calculation may change.”
"The recent California enforcement actions against data brokers signal something more consequential than the immediate" fines, Fox Rothschild's Odia Kagan told us, commenting generally on the issue. "They show that many companies may be classified as ‘data brokers’ under California law without realizing it," which "could subject them to steep fines and additional enforcement in 2026."
The penalties "are significant but manageable" now, but the Delete Act changes that. "If a company doesn’t realize it is a data broker, it won’t register and won’t participate in the deletion mechanism, which means it will automatically fail to delete, and the fines for that are steep," she said.
Moreover, other states are copying California. Data broker "registration requirements are popping up across the U.S.,” including in Texas, Oregon and Vermont (see 2503270009), Cline said. Still, other states may have “additional regulatory obligations such as those under the proposed New Jersey Data Privacy Act (see 2509120026) regulations,” which means “that the compliance burden for data brokers, and their attendant legal risk, is only increasing as time goes on.”
Kagan agreed. "A California determination may render you susceptible to enforcement by other [states’] regulators."
In addition, Cline anticipates multistate enforcement for privacy violations is a matter of "when, not if ... similar to what occurs with data breach litigation." This is especially so since the same people in the consumer protection divisions of state attorney general offices often handle enforcement, he added.
Paired with an increase in fines is a rise in investigations, Troutman lawyer David Stauss said in a blog post. That CalPrivacy fined ROR Partners, a marketer, means it's "closely scrutinizing not only entities that have registered as data brokers but also entities it believes should be registered.” CalPrivacy's broad definition of what it means to be a data broker “is particularly notable,” he added.
Additionally, California’s data broker law was amended by a bill the governor signed in October (see 2510060033) to require more information from data brokers when they register, including whether they have “shared or sold consumers’ data to (1) a foreign actor, (2) the federal government, (3) other state governments, (4) law enforcement (unless done pursuant to a subpoena or court order), or (5) a developer of a GenAI system or model,” Stauss said.
Also, when the state's new Delete Request and Opt-out Platform (DROP) comes out next year (see 2511100015), it must be accessed “at least once every 45 days” by data brokers, who must then “process deletion requests from California residents” registered with the system, the lawyer noted.
Cline noted that the ROR “complaint itself is extremely straightforward,” and is based on the marketer's "public statements.” Accordingly, a key takeaway is that "a company’s public-facing statements and documentation are what are most likely to attract regulatory scrutiny.”
As such, companies should “review [their] public disclosures," including marketing materials, and "verify that [the] most visible parts of your compliance program, like your use of automatic information collection technologies, data subject rights mechanism, and privacy notice, can withstand regulatory scrutiny,” Cline said.
Robinson+Cole lawyer Kathryn Rattigan recommended in a blog post Thursday that companies check their registration status as well as “procedures for responding to consumer deletion requests.”
CalPrivacy also noted that compliance with the California Consumer Privacy Act (CCPA), not just the Delete Act, will be a focus of its new Data Broker Strike Force (see 2511190041). Stauss said, “Future data broker enforcement actions will focus on more than just a failure to register." California regulators will take "a deeper dive into a data broker’s CCPA compliance activities."
Rattigan predicted that “other states are likely to watch California’s model carefully and may establish similar specialized units or requirements,” in the style of the strike force.
"The real message of these early enforcement actions is that companies need to assess whether they fall within the data-broker definition now, because lack of awareness won’t shield them from much larger exposure once the DELETE Act takes effect," Kagan said.